[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
EXAMINATION OF THE GAO AUDIT SERIES OF HHS CYBERSECURITY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
JUNE 20, 2018
__________
Serial No. 115-142
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
35-126 PDF WASHINGTON : 2019
COMMITTEE ON ENERGY AND COMMERCE
GREG WALDEN, Oregon
Chairman
JOE BARTON, Texas, Vice Chairman
FRED UPTON, Michigan
JOHN SHIMKUS, Illinois
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. "BUDDY" CARTER, Georgia
JEFF DUNCAN, South Carolina
FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
RAUL RUIZ, California
SCOTT H. PETERS, California
DEBBIE DINGELL, Michigan
Subcommittee on Oversight and Investigations
GREGG HARPER, Mississippi
Chairman
H. MORGAN GRIFFITH, Virginia, Vice Chairman
JOE BARTON, Texas
MICHAEL C. BURGESS, Texas
SUSAN W. BROOKS, Indiana
CHRIS COLLINS, New York
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. "BUDDY" CARTER, Georgia
GREG WALDEN, Oregon (ex officio)
DIANA DeGETTE, Colorado, Ranking Member
JANICE D. SCHAKOWSKY, Illinois
KATHY CASTOR, Florida
PAUL TONKO, New York
YVETTE D. CLARKE, New York
RAUL RUIZ, California
SCOTT H. PETERS, California
FRANK PALLONE, Jr., New Jersey (ex officio)
CONTENTS
----------
Hon. Gregg Harper, a Representative in Congress from the State of Mississippi, opening statement
    Prepared statement
Hon. Diana DeGette, a Representative in Congress from the State of Colorado, opening statement
Hon. Greg Walden, a Representative in Congress from the State of Oregon, prepared statement
Witnesses
Sherri Berger, Chief Operating Officer, Centers for Disease Control and Prevention
Suzi Connor, Chief Information Officer, Centers for Disease Control and Prevention
Beth Killoran, Chief Information Officer, U.S. Department of Health and Human Services
Greg Wilshusen, Director, Information Security Issues, Government Accountability Office
Submitted Material
Subcommittee memorandum
EXAMINATION OF THE GAO AUDIT SERIES OF HHS CYBERSECURITY
----------
WEDNESDAY, JUNE 20, 2018
House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 1:00 p.m., in
room 2123, Rayburn House Office Building, Hon. Gregg Harper
(chairman of the subcommittee) presiding.
Present: Representatives Harper, Griffith, Brooks, Collins,
Barton, Walberg, Walters, Costello, Carter, Walden (ex
officio), DeGette, Castor, Tonko, Clarke, and Ruiz.
Staff Present: Jennifer Barblan, Chief Counsel, Oversight
and Investigations; Karen Christian, General Counsel; Ali
Fulling, Legislative Clerk, Oversight and Investigations/
Digital Commerce and Consumer Protection; Jennifer Sherman,
Press Secretary; Alan Slobodin, Chief Investigative Counsel,
Oversight and Investigations; Peter Spencer, Professional Staff
Member, Energy; Jessica Wilkerson, Professional Staff Member,
Oversight and Investigations; Julie Babayan, Minority Counsel;
Chris Knauer, Minority Staff Director, Oversight and
Investigations; Miles Lichtman, Minority Policy Analyst; Kevin
McAloon, Minority Professional Staff Member; and Samantha
Satchell, Minority Policy Analyst.
OPENING STATEMENT OF HON. GREGG HARPER, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MISSISSIPPI
Mr. Harper. Good afternoon. We are here today to hold a
hearing examining the ongoing GAO audit series of HHS
cybersecurity programs.
Since the Committee submitted its request to GAO in 2013,
GAO has performed three audits of major operating divisions
within HHS. Today's hearing will provide an opportunity for the
subcommittee to learn more about GAO's findings over this
series of audits as well as the steps taken by HHS and its
operating divisions to respond to these findings.
Given that GAO has completed three of these audits, today's
hearing will also provide an opportunity to examine HHS
cybersecurity roles and responsibilities. These GAO audits
provide a valuable opportunity for HHS and its operating
divisions to reflect on its cybersecurity capabilities and
improve from one to the next. Today's hearing will allow us to
explore whether or not HHS has indeed taken advantage of these
opportunities in the way that we would hope and expect that the
Department has.
Given the sensitivity of some of the findings identified by
GAO, we have determined that it is appropriate for the bulk of
this hearing to take place in a closed session. After opening
remarks by Ranking Member DeGette, the subcommittee will vote
to enter a closed session and then proceed from there.
I want to thank our witnesses for appearing today.
And I now recognize Ms. DeGette for any public comments
before we vote to go into closed session.
[The prepared statement of Mr. Harper follows:]
Prepared statement of Hon. Gregg Harper
Good afternoon. We are here today to hold a hearing
examining the ongoing GAO audit series of HHS cybersecurity
programs. Since the Committee submitted its request to GAO in
2013, GAO has performed three audits of major operating
divisions within HHS.
Today's hearing will provide an opportunity for the
Subcommittee to learn more about GAO's findings over this
series of audits, as well as the steps taken by HHS and its
operating divisions to respond to these findings. Given that
GAO has completed three of these audits, today's hearing will
also provide an opportunity to examine HHS cybersecurity roles
and responsibilities.
These GAO audits provide a valuable opportunity for HHS and
its operating divisions to reflect on its cybersecurity
capabilities and improve from one to the next. Today's hearing
will allow us to explore whether or not HHS has indeed taken
advantage of these opportunities in the way that we would
hope--and expect--that the Department has.
Given the sensitivity of some of the findings identified by
GAO, we have determined that it is appropriate for the bulk of
this hearing to take place in a closed session.
After opening remarks by Ranking Member DeGette, the
Subcommittee will vote to enter closed session and then proceed
from there.
I want to thank our witnesses for appearing today, and I
now recognize Ms. DeGette for any public comments before we
vote to go into closed session.
OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF COLORADO
Ms. DeGette. Thank you, Mr. Chairman.
As you know, this committee has conducted a series of
oversight work focused on cybersecurity, such as at the
Department of Energy and HHS. GAO is doing critical work in
testing the cyber defenses at various HHS agencies, and this
report is the latest in that series.
To that end, I look forward to examining these issues in
more detail in executive session and to hearing what
commitments these agencies can make to address the
vulnerabilities.
And, with that, I yield back.
Mr. Harper. Ms. DeGette yields back.
The chair recognizes himself for a unanimous consent
request and to offer a motion.
Because of the sensitive nature of this hearing,
particularly its implications for national security, and after
consultations with the minority, I will offer a motion that the
subcommittee go into executive session.
I yield to the ranking member for any comments on this
procedure.
Ms. DeGette. Thank you, Mr. Chairman.
As I stated before, given the sensitive nature of this
information, I support your motion.
Mr. Harper. The chair moves that, pursuant to clause 2(g)
of rule XI of the rules of the House, the remainder of this
hearing will be conducted in executive session to protect
information that might endanger national security.
Is there discussion on the motion?
Seeing none, if there is no discussion, pursuant to the
rule, a recorded vote is ordered. Pursuant to rule XI of the
U.S. House of Representatives, this will be a roll call vote.
The clerk will call the roll.
The Clerk. Mr. Griffith?
Mr. Griffith. Aye.
The Clerk. Mr. Griffith votes aye.
Mr. Barton?
[No response.]
The Clerk. Mr. Burgess?
[No response.]
The Clerk. Mrs. Brooks?
Mrs. Brooks. Aye.
The Clerk. Mrs. Brooks votes aye.
Mr. Collins?
Mr. Collins. Aye.
The Clerk. Mr. Collins votes aye.
Mr. Walberg?
Mr. Walberg. Aye.
The Clerk. Mr. Walberg votes aye.
Mrs. Walters?
Mrs. Walters. Aye.
The Clerk. Mrs. Walters votes aye.
Mr. Costello?
[No response.]
The Clerk. Mr. Carter?
Mr. Carter. Aye.
The Clerk. Mr. Carter votes aye.
Chairman Walden?
[No response.]
The Clerk. Ms. DeGette?
Ms. DeGette. Aye.
The Clerk. Ms. DeGette votes aye.
Ms. Schakowsky?
[No response.]
The Clerk. Ms. Castor?
Ms. Castor. Aye.
The Clerk. Ms. Castor votes aye.
Mr. Tonko?
Mr. Tonko. Aye.
The Clerk. Mr. Tonko votes aye.
Ms. Clarke?
Ms. Clarke. Aye.
The Clerk. Ms. Clarke votes aye.
Mr. Ruiz?
Mr. Ruiz. Aye.
The Clerk. Mr. Ruiz votes aye.
Mr. Peters?
[No response.]
The Clerk. Mr. Pallone?
[No response.]
The Clerk. Chairman Harper?
Mr. Harper. Aye.
The Clerk. Chairman Harper votes aye.
Mr. Harper. Have all members been recorded?
The clerk will report the vote.
The Clerk. Mr. Chairman, on the vote, there were 12 ayes
and 0 nays.
Mr. Harper. The motion passes. The remainder of the hearing
will be closed to the public and open only to our witnesses, to
the members, and to essential staff.
We will briefly recess to clear the room.
[Whereupon, at 1:05 p.m., the subcommittee proceeded in
closed session.]
[Material submitted for inclusion in the record follows:]
Prepared statement of Hon. Greg Walden
Mr. Chairman, thank you for holding today's hearing. As you
explained, we are here today to examine the state of
cybersecurity at CDC, and what the findings of this audit may
mean for HHS cybersecurity more broadly. However, it is
important to keep in mind that the issues and potential
consequences of GAO's findings at the CDC go far beyond simply
deficient technical controls.
In 2013, this Committee requested that the GAO examine in
detail the information security controls at four key HHS
agencies--CMS, FDA, CDC, and NIH. Three of those audits are now
complete, and the NIH is up next. Two years ago, upon the
release of the FDA audit, the Committee had to call FDA senior
leadership in a snowstorm to impress upon them the importance of
closing the 165 vulnerabilities--many of them incredibly
serious--identified by that GAO audit immediately.
We had hoped that the CDC audit would be better, but in
many ways it is worse. Not only are there more technical
recommendations--184 in this case--but they are more severe.
And, nearly a quarter of them appear to be duplicative of the
vulnerabilities in the FDA audit. That includes, by the way,
the vulnerability that caused the Committee to call over to FDA
in a snowstorm.
CDC today will discuss their efforts to date to remediate
the findings cited by GAO once GAO made them aware of the
various issues. I am glad that the CDC recognizes the severity
of the GAO's findings, and is aggressively moving to mitigate
these vulnerabilities. CDC also engaged a US-CERT "hunt" team
at the Committee's request to investigate potential intrusions.
When I spoke with Dr. Redfield yesterday he told me that fixing
these problems is a top priority.
We have many questions that I hope we can get answers to
today. For example, why did it take a third-party audit to
highlight the significant dangers that CDC's information
technology strategy created? Why didn't CDC recognize this
danger itself? And finally, if these findings and their
potential consequences were fully recognized over a year ago,
why wasn't the Committee told until the release of the
restricted report last month?
Chairman Harper highlighted some of the concerns around
certain vulnerabilities like Finding 38, which CDC has
confirmed existed in its vulnerable configuration for nearly 7
years. The implications of this finding are astounding. For
nearly 7 years, Finding 38 may have allowed a remote, Internet-
based attacker to access any CDC server, workstation, or other
networked device, including such CDC systems as the ones on
which the Federal Select Agent Platform or the Strategic
National Stockpile program depend. These are serious threats
with potentially grave consequences. And to make things worse,
8 other GAO findings suggest that CDC's audit and intrusion
detection capabilities were, and remain, so poor that CDC may
not have detected whether Finding 38 or other critical findings
were leveraged to penetrate the CDC.
The severity of the findings at CDC show that we are still
viewing cybersecurity as primarily a ``tech'' problem, when in
fact we have moved far beyond that. The vulnerabilities at CDC
were not merely a missing IT control deserving of a failing
audit grade, but a national security threat. And because the
appropriate amount of weight was not given to that fact a year
ago, we are now even less well-positioned to understand what
may have happened to--or, perhaps more accurately, who got
inside--CDC's networks in the nearly 7 years that the Finding
38 vulnerability existed.
I greatly appreciate the hard work of the GAO, and I know
the CDC does as well. The team that has done these audits at
the Committee's request does incredible work. We must not lose
sight of the context in which these vulnerabilities exist.
There are malicious actors that wish to cause us great harm,
and have already exploited vulnerabilities across the Federal
Government. This hearing is a critical step in gaining a better
understanding of what happened, so that we may ensure that all
parties understand the potential consequences, and we may
better position ourselves to ensure that it doesn't happen
again.
I want to thank our witnesses for testifying and look
forward to today's discussion. Thank you, and I yield back.